plainstamp 0.2.0 → 0.3.0

package/CHANGELOG.md

@@ -16,6 +16,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.3.0] — 2026-05-08
+
+### Added
+
+- HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (45 CFR § 92.210, May 6, 2024 final rule). Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, HHS-administered programs) must identify uses of AI/ML clinical decision-support tools and make reasonable efforts to mitigate algorithmic discrimination. Compliance deadline May 1, 2025 — now in effect and enforceable. Use case `healthcare`.
+- Second SEO guide: `docs/guides/colorado-ai-act-sb-24-205-builder-guide.md` — long-form coverage of Colorado's comprehensive AI Act, the high-risk AI system definition, deployer/developer obligations, the consumer-disclosure components, the June 30, 2026 deadline, and how SB 24-205 stacks with parallel state and federal AI rules. Targets the high-traffic Colorado-compliance search vertical (deadline pressure + uncertainty about scope).
+- Rule count 19 → 20. Tests still 51/51 passing.
+
 ## [0.2.0] — 2026-05-08
 
 ### Added

package/docs/guides/colorado-ai-act-sb-24-205-builder-guide.md

@@ -0,0 +1,216 @@
+# Colorado AI Act (SB 24-205): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI product is sold to or used by people in Colorado and any of
+its decisions could affect a person's access to housing, employment,
+education, healthcare, financial services, government services, legal
+services, or essential goods and services, **the Colorado AI Act
+applies to you**. The rule is one of the strictest comprehensive AI
+laws in the U.S. and its consumer-disclosure obligation goes into
+effect **June 30, 2026** after a delay from the original February 2026
+date. This guide walks through what the rule requires, what it does
+*not* require, and what to ship before the deadline.
+
+## What SB 24-205 actually does
+
+Colorado SB 24-205 (codified at Colorado Revised Statutes § 6-1-1701
+et seq.) creates obligations for two parties:
+
+- **Developers** of high-risk AI systems — entities that build and
+  deploy a high-risk AI system or substantially modify one.
+- **Deployers** of high-risk AI systems — entities that use a high-
+  risk AI system in their operations affecting Colorado consumers.
+
+A "high-risk AI system" is one that, when deployed, makes or is a
+substantial factor in making a "consequential decision" — defined to
+include decisions affecting access to or cost of:
+
+- Educational opportunities
+- Employment or employment opportunities
+- Financial or lending services
+- Essential government services
+- Healthcare services
+- Housing
+- Insurance
+- Legal services
+
+The Act layers two distinct sets of obligations: substantive (avoid
+algorithmic discrimination) and procedural (impact assessments, risk
+management, regulator notifications, consumer notices).
+
+## The consumer-disclosure obligation — what to ship
+
+The consumer-facing piece — the part most builders need to ship — has
+three components:
+
+### 1. Pre-decision disclosure (deployer obligation)
+
+Before a high-risk AI system makes a consequential decision about a
+consumer, the deployer must give the consumer:
+
+- A statement disclosing that a high-risk AI system has been used
+  in the consequential decision-making process.
+- A description of the high-risk AI system, its purpose, and how
+  it has been used.
+- The nature of the consequential decision.
+- Contact information for the deployer.
+- A description of any human components of the decision-making
+  process and how the AI system contributes to the decision.
+- A description of the consumer's rights under SB 24-205,
+  including the right to opt out of the processing of personal
+  data for profiling that produces legal or similarly significant
+  effects (under the Colorado Privacy Act), the right to correct
+  incorrect personal data, and the right to appeal an adverse
+  consequential decision.
+
+### 2. Adverse-decision notice (deployer obligation)
+
+If the high-risk AI system contributes to an adverse consequential
+decision, the deployer must additionally disclose to the consumer:
+
+- The principal reason(s) for the adverse decision.
+- The degree to which the AI system contributed to the decision.
+- The type of data processed by the AI system in making the
+  decision and the source of that data.
+- The right to correct incorrect personal data, the right to
+  appeal the adverse decision, and the right to opt out of
+  profiling.
+
+### 3. Public-facing statement (developer + deployer)
+
+Both developers and deployers must publish a public statement summarizing:
+
+- The types of high-risk AI systems they currently develop /
+  deploy.
+- How the entity manages known or reasonably foreseeable risks of
+  algorithmic discrimination.
+- The most recent date the public statement was updated.
+
+## What SB 24-205 does *not* require
+
+Common misconceptions worth clearing up:
+
+- **It is not a CCPA-style right of deletion**. SB 24-205 layers on
+  the existing Colorado Privacy Act for personal-data rights; it
+  doesn't create new general-purpose data rights.
+- **It does not require pre-approval or registration of every AI
+  system** with a Colorado regulator. Developers must notify the
+  Colorado Attorney General within 90 days of discovering that a
+  high-risk AI system has caused or is reasonably likely to have
+  caused algorithmic discrimination, but routine deployment doesn't
+  require pre-clearance.
+- **It does not apply to most generative AI consumer products**
+  unless a specific deployment of that product is itself a high-
+  risk AI system making consequential decisions. A general-purpose
+  LLM helping a user write an email is not a high-risk AI system;
+  the same LLM scoring resumes for an employer is.
+
+## The deadlines
+
+- **June 30, 2026** — consumer-disclosure obligations apply to
+  deployers (delayed from the original February 2026 date).
+- **Public statement and risk-management obligations apply on
+  the same date.**
+- **Algorithmic-discrimination notification to the Attorney General**
+  applies on the same date.
+
+## How SB 24-205 stacks with other AI rules
+
+Colorado SB 24-205 is part of a comprehensive U.S.-state AI regime
+that's emerging unevenly across jurisdictions. Builders deploying
+across multiple states need to layer obligations:
+
+- **California**: AB 2013 (training-data transparency, effective
+  2026-01-01); B&P § 17941 (bot disclosure); SB 942 (AI provenance);
+  the California Privacy Protection Agency's automated-decision-
+  making rulemaking.
+- **Illinois**: HB 3773 amending the Illinois Human Rights Act
+  (employment AI, effective 2026-01-01).
+- **Texas**: TRAIGA (HB 149, effective 2026-01-01) — government-
+  agency and healthcare-provider AI disclosure obligations.
+- **Utah**: SB 149 + SB 226 — GenAI disclosure in regulated
+  occupations.
+- **New York City**: Local Law 144 — AEDT bias audits for
+  employment AI.
+- **Maryland**: Labor & Employment § 3-717 — facial recognition
+  in interviews requires written consent.
+- **Federal**: EEOC technical assistance on Title VII selection
+  procedures; CFPB Circular 2023-03 on AI adverse-action notices;
+  HHS Section 1557 on patient-care decision support tools; FINRA
+  Regulatory Notice 24-09 on AI in member-firm communications.
+- **EU**: AI Act Articles 50(1) and 50(2); GDPR Article 22 on
+  automated decisions.
+
+A consumer-facing AI product operating across these jurisdictions
+needs disclosure copy for each — and the disclosures often differ in
+content, timing, and format. That's the maintenance problem
+`plainstamp` exists to solve.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-co-sb24-205-consumer-disclosure` rule that
+returns the live disclosure-element checklist for SB 24-205, ready-
+to-paste plain-language and formal-language templates, citation back
+to the Colorado Office of Legislative Legal Services source URL, and
+a `last_verified` date.
+
+Typical lookup for a deployer notifying a Colorado employment-AI user
+before a hiring decision:
+
+```bash
+npx plainstamp lookup --jurisdiction us-co \
+                      --channel email-transactional \
+                      --use-case employment-decisions
+```
+
+This returns the SB 24-205 consumer-disclosure rule. To pick up the
+parallel federal-floor obligation (EEOC technical assistance) and the
+parallel state-employment rules in other states the deployer
+operates in, query each jurisdiction in turn. plainstamp's
+parent-jurisdiction inheritance rule means a `us-co` query also
+matches federal-level `us` rules.
+
+For the public-facing statement (developer or deployer) and the
+internal-governance items (impact assessments, risk-management
+program), consult Colorado Attorney General published guidance
+directly — those are above plainstamp's scope (which covers per-
+interaction or per-decision disclosure text, not corporate
+governance program documentation).
+
+## The minimum viable Colorado disclosure
+
+If you ship one thing this quarter, ship the pre-decision disclosure:
+
+1. A clear statement that a high-risk AI system is being used in
+   the consequential decision.
+2. A description of the AI system's purpose and role in the
+   decision.
+3. A description of any human components of the decision.
+4. Contact information for the deployer.
+5. A summary of the consumer's appeal, correction, and opt-out
+   rights, with a path to exercise them.
+
+If your AI system can produce adverse outcomes (denials, rejections,
+adverse employment actions, etc.), also ship the adverse-decision
+notice with principal reasons, the AI's contribution, and data-source
+disclosure.
+
+## Source-of-truth links
+
+- **Colorado SB 24-205 — full text and legislative history**
+  ([leg.colorado.gov](https://leg.colorado.gov/bills/sb24-205))
+- **Colorado Attorney General — AI Act guidance and rulemaking**
+  ([coag.gov](https://coag.gov/))
+- **Colorado Privacy Act**, into which SB 24-205 connects for personal-
+  data rights ([leg.colorado.gov](https://leg.colorado.gov/))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",

package/rules/seed.json

@@ -859,6 +859,53 @@
         "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor."
       },
       "notes": "FINRA Regulatory Notice 24-09 is reminder-and-clarification guidance — it does not create new rules. The binding obligations are the existing FINRA rules (2210, 2090, 2111, 3110, 4511, 3220), which apply by their existing terms to AI-driven communications, recommendations, and records. Member firms (broker-dealers and their associated persons) are bound; non-member firms are not directly bound by FINRA rules but may face parallel obligations under SEC rules (e.g., Rule 17a-4 books-and-records, Investment Advisers Act fiduciary duty for IA-registered firms) — this rule's `jurisdiction` is `us` because FINRA is a self-regulatory organization with national scope, not a single-state regulator. The 2023 SEC Staff Bulletin on conflicts of interest for AI/PDA-using broker-dealers and investment advisers (and the SEC's proposed PDA rule, Rel. No. 34-97990) layers additional obligations specifically around conflicts; firms with PDA / AI advisory tools should consult both. FINRA expects firms to update their WSPs to specifically address AI tool use; using AI without WSP coverage is an immediate Rule 3110 supervision deficiency. Firms should also be aware of state-level adverse-action and disclosure overlays (e.g., NYDFS's October 2024 cybersecurity / AI guidance for licensed entities)."
+    },
+    {
+      "id": "us-hhs-section-1557-pcdst-2024",
+      "jurisdiction": "us",
+      "channels": ["ai-generated-content", "about-page", "privacy-policy"],
+      "use_cases": ["healthcare"],
+      "severity": "mandatory",
+      "short_title": "HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule)",
+      "summary": "On May 6, 2024, the U.S. Department of Health and Human Services Office for Civil Rights published a final rule (89 Fed. Reg. 37522) implementing Section 1557 of the Affordable Care Act that imposes nondiscrimination obligations on covered entities' use of 'patient care decision support tools' (PCDSTs) — defined to include automated and non-automated tools, including artificial-intelligence and machine-learning-based clinical decision support. Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, and HHS-administered health programs) must (a) make reasonable efforts to identify uses of PCDSTs in their health programs and activities that employ input variables or factors that measure race, color, national origin, sex, age, or disability; AND (b) make reasonable efforts to mitigate the risk of discrimination resulting from the tool's use. The compliance deadline for the PCDST nondiscrimination obligation was May 1, 2025; the obligation is now in effect and enforceable. Penalties for Section 1557 violations include loss of federal financial assistance, OCR-imposed corrective-action plans, and potential private-right-of-action claims for discrimination.",
+      "required_elements": [
+        {
+          "id": "pcdst-identification",
+          "description": "Reasonable efforts to identify uses of PCDSTs (including AI/ML clinical decision support tools) in the entity's health programs and activities.",
+          "required": false,
+          "example": "Internal inventory and documentation of all AI/ML clinical decision support tools deployed in patient care, with notation of input variables and use cases. (System / governance requirement; does not require per-patient disclosure.)"
+        },
+        {
+          "id": "pcdst-mitigation",
+          "description": "Reasonable efforts to mitigate the risk of discrimination resulting from PCDST use, including documentation of mitigation steps and ongoing monitoring.",
+          "required": false,
+          "example": "Documented mitigation procedures, periodic testing for adverse impact across protected classes, and a designated responsible person or office. (System / governance requirement.)"
+        },
+        {
+          "id": "patient-facing-pcdst-notice",
+          "description": "Patient-facing notice that AI/ML decision-support tools may inform clinical decisions, where the entity's notice-of-availability obligations under § 92.11 apply (translation requirements + civil rights coordinator + grievance procedures).",
+          "required": true,
+          "example": "Notice: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial intelligence. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights."
+        },
+        {
+          "id": "civil-rights-coordinator-designation",
+          "description": "Designation of a Civil Rights Coordinator responsible for the entity's Section 1557 compliance, including PCDST nondiscrimination obligations. (Governance, not per-patient text.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116); 45 CFR Part 92, as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522",
+        "section": "45 CFR § 92.210 (Discrimination through the use of patient care decision support tools)",
+        "source_url": "https://www.federalregister.gov/documents/2024/05/06/2024-08711/nondiscrimination-in-health-programs-and-activities",
+        "publisher": "U.S. Department of Health and Human Services, Office for Civil Rights"
+      },
+      "effective_date": "2025-05-01",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Use of Decision-Support Tools in Your Care: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial-intelligence and machine-learning systems. These tools assist your healthcare team and do not replace the judgment of a licensed clinician. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, please contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights at https://www.hhs.gov/ocr/.",
+        "formal": "Notice under Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116) and the implementing regulations at 45 CFR Part 92 (as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522): The covered entity uses one or more patient care decision support tools, including artificial-intelligence and machine-learning-based clinical decision support, in its health programs and activities. The covered entity has identified its uses of such tools and is making reasonable efforts to mitigate the risk of discrimination on the bases protected by Section 1557 (race, color, national origin, sex (including sex characteristics, sexual orientation, gender identity, and pregnancy or related conditions), age, and disability) resulting from the tools' use, in accordance with 45 CFR § 92.210. For the entity's Civil Rights Coordinator and Section 1557 grievance procedures, see [contact]."
+      },
+      "notes": "Section 1557's PCDST obligation is governance-heavy — most of the compliance work is internal (identifying tools, documenting mitigation, designating coordinators) rather than patient-facing text. The patient-facing element is the Section 1557 notice-of-availability under § 92.11 plus, where the entity exposes AI-informed decisions to patients, a clear acknowledgment that automated tools may inform clinical decisions and a path to discuss with a clinician. Covered entities include most healthcare providers receiving any form of federal financial assistance (Medicare-participating providers, Medicaid-participating providers, federally-qualified health centers, etc.), all health insurers in HHS-administered marketplaces, and HHS itself. The 'reasonable efforts' standard is intentionally flexible — OCR has stated in commentary that what constitutes 'reasonable' will scale with the entity's size and resources, but documentation is essential. PCDSTs explicitly include AI/ML decision-support tools and (per OCR commentary) tools that produce or use clinical scores (e.g., Epic Sepsis Model, Beth Israel Discharge Risk score, etc.). Federal funding loss is the principal sanction; OCR can also impose corrective action plans. State-level overlays may apply (e.g., California SB 1120 — Physicians Make Decisions Act, requiring physician review of AI-driven coverage denials in health plans — effective 2025-01-01). Stack with HIPAA Privacy Rule (45 CFR Part 164) when patient information is processed; stack with state AI hiring/employment-decision laws when the PCDST is used in employment of healthcare workers."
     }
   ]
 }